github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-19 17:14:26 +00:00
Code Issues Projects Releases Wiki Activity

Change filter_warning_resolver to use warning codes

Browse Source 
Now that we have a result struct and set of warning codes, change the
filter_warning_resolver to use them. This involves populating a set of
warning codes instead of strings.

Also, the methods to format warnings into human-readable strings is
now in the falco_load_result static methods, so move the text there
and remove the methods here.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This commit is contained in:
Mark Stemm
2022-06-15 16:25:39 -07:00
committed by poiana
parent 0066ba49ea
commit bb44d992ab
3 changed files with 10 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
tests/engine/test_filter_warning_resolver.cpp
View File

@@ -19,7 +19,7 @@ limitations under the License.
static bool warns(const std::string& condition) static bool warns(const std::string& condition)
{ {
std::set<std::string> w; std::set<falco::load_result::warning_code> w;
auto ast = libsinsp::filter::parser(condition).parse(); auto ast = libsinsp::filter::parser(condition).parse();
filter_warning_resolver().run(ast, w); filter_warning_resolver().run(ast, w);
delete ast; delete ast;

25
userspace/engine/filter_warning_resolver.cpp
View File

@@ -17,8 +17,9 @@ limitations under the License.
#include <sinsp.h> #include <sinsp.h>
#include "filter_warning_resolver.h" #include "filter_warning_resolver.h"
using namespace falco;
static const char* no_value = "<NA>"; static const char* no_value = "<NA>";
static const char* warn_unsafe_na_check = "unsafe-na-check";
static inline bool is_unsafe_field(const string& f) static inline bool is_unsafe_field(const string& f)
{ {
@@ -34,7 +35,7 @@ static inline bool is_equality_operator(const string& op)
bool filter_warning_resolver::run( bool filter_warning_resolver::run(
libsinsp::filter::ast::expr* filter, libsinsp::filter::ast::expr* filter,
std::set<string>& warnings) const std::set<load_result::warning_code>& warnings) const
{ {
visitor v; visitor v;
auto size = warnings.size(); auto size = warnings.size();
@@ -44,22 +45,6 @@ bool filter_warning_resolver::run(
return warnings.size() > size; return warnings.size() > size;
} }
// todo(jasondellaluce): use an hard-coded map once we support more warnings
bool filter_warning_resolver::format(
const std::string& code,
std::string& out) const
{
if (code == warn_unsafe_na_check)
{
out = "comparing a field value with <NA> is unsafe and can lead to "
"unpredictable behavior of the rule condition. If you need to "
" check for the existence of a field, consider using the "
"'exists' operator instead.";
return true;
}
return false;
}
void filter_warning_resolver::visitor::visit( void filter_warning_resolver::visitor::visit(
libsinsp::filter::ast::binary_check_expr* e) libsinsp::filter::ast::binary_check_expr* e)
{ {
@@ -76,7 +61,7 @@ void filter_warning_resolver::visitor::visit(
{ {
if (m_is_equality_check && e->value == no_value) if (m_is_equality_check && e->value == no_value)
{ {
m_warnings->insert(warn_unsafe_na_check); m_warnings->insert(load_result::LOAD_UNSAFE_NA_CHECK);
} }
} }
@@ -86,6 +71,6 @@ void filter_warning_resolver::visitor::visit(
if (m_is_equality_check if (m_is_equality_check
&& std::find(e->values.begin(), e->values.end(), no_value) != e->values.end()) && std::find(e->values.begin(), e->values.end(), no_value) != e->values.end())
{ {
m_warnings->insert(warn_unsafe_na_check); m_warnings->insert(load_result::LOAD_UNSAFE_NA_CHECK);
} }
} }

32
userspace/engine/filter_warning_resolver.h
View File

@@ -21,6 +21,7 @@ limitations under the License.
#include <set> #include <set>
#include <memory> #include <memory>
#include "falco_common.h" #include "falco_common.h"
#include "falco_load_result.h"
/*! /*!
\brief Searches for bad practices in filter conditions and \brief Searches for bad practices in filter conditions and
@@ -42,40 +43,13 @@ public:
*/ */
bool run( bool run(
libsinsp::filter::ast::expr* filter, libsinsp::filter::ast::expr* filter,
std::set<std::string>& warnings) const; std::set<falco::load_result::warning_code>& warnings) const;
/*!
\brief Given a warning code retrieved through run(), returns
a verbose message describing the problem of the warning.
\param code The warning code string
\param out The string to be filled-out with the warning message
\return true if the warning code is recognized, false otherwise
*/
bool format(const std::string& code, std::string& out) const;
/*!
\brief Given a warning code retrieved through run(), returns
a verbose message describing the problem of the warning.
\param code The warning code string
\return The warning message string
\throw falco_exception if the warning code is not recognized
*/
inline std::string format(const std::string& code) const
{
std::string v;
if (!format(code, v))
{
throw falco_exception("unrecognized warning code: " + code);
}
return v;
}
private: private:
struct visitor : public libsinsp::filter::ast::base_expr_visitor struct visitor : public libsinsp::filter::ast::base_expr_visitor
{ {
bool m_is_equality_check; bool m_is_equality_check;
std::set<std::string>* m_warnings; std::set<falco::load_result::warning_code>* m_warnings;
void visit(libsinsp::filter::ast::value_expr* e) override; void visit(libsinsp::filter::ast::value_expr* e) override;
void visit(libsinsp::filter::ast::list_expr* e) override; void visit(libsinsp::filter::ast::list_expr* e) override;